
==Bio==

Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities.

Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks.

Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people.

Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He's also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com.

Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.

==History==

A bit more in my own words...

My day job is at Shape Security - an exciting startup in the heart of Silicon Valley. Here we're evaluating how applications are compromised and building new approaches to fundamentally change the model of defending applications. This is an exciting role where I focus on the secure design of our product and also on evaluating the threat space to educate and understand risks facing large applications.

I previously worked at Mozilla, a company of 900+ people with a massive footprint of over 450 million users. Here I was responsible for the Mozilla security program. This included security of Firefox, all web applications, servers and infrastructure. As part of this role we led threat modeling, secure design, training, testing and continual security maintenance. Security can be tough, and perhaps one of the most interesting challenges is designing security solutions that scale and are usable to such a massive number of people.

Security is what I do. Like many of us in the security industry, this is more than just a means of employment, it's a hobby and a passion. Throughout my professional career I've had the opportunity to assess and secure a wide variety of systems. Straight out of college my career started in the risk division of a CPA firm. With a focus on financial institutions, our security team performed traditional no knowledge black box penetration assessments, internal network assessments, and even social engineering. Some of my best security stories involve the stories and persona I invented in order to talk my way into the bank's vault or server room (all part of the approved engagement of course).

My next opportunity led me to a major telecommunication and mobile company. I had the opportunity to work in the security operations center for a period of time, where I gained an eye-opening experience being on the "other side of the fence". Tasked with defending against and investigating attacks on a network of 150K seats, there was never a dull moment. I also had the opportunity to transition into the consulting division, where I performed secure architecture design review on mobile and telecommunications networks. Another great security story involved an assessment where, with just a tethered cell phone and an international data connection, I was able to gain full control of the data service for the targeted mobile provider in Asia.

I was fortunate enough to land a spot in a top-notch application security consulting firm. With this company I was able to focus every day on threat modeling, code review and web application penetration assessments for the most critical applications in the world. From working on major financial systems to voting devices, I had a chance to really see it all.

Don't get me wrong, the deep dive into the technical items is great. I've done it for years. But the key item has been translating these technical issues into the overall risk to the business and users. Managing risk is the driving factor for everything that we end up doing in security.

=OWASP Board Candidate 2011=

'''My Vision For OWASP'''

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem. Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized. OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.

My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission. OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world. I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world.

In addition, I feel the OWASP board should work to help OWASP identify key challenges that should be focused upon in a planned period of time. The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverage our collective expertise and support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.

The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

* '''Breaking out of the Echo Chamber''': OWASP should focus on working with people who have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.
* '''Funding''': OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big. I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.
* '''Integration with Enterprises''': As a security professional employed at a major technology company, I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing. This involves sitting down with these industries through our global committees and identifying their needs and how we can help meet them.
* '''Community and Open''': I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals who donate their time and skills. I plan to grow our community and identify ways we can further strengthen the worldwide community.